Affected Vendors

Affected Products

Vulnerability Type

Summary

Critical vulnerabilities within several CPUs have been identified by security researchers. These hardware vulnerabilities allow programs to learn about the contents of a system's memory, using side-channel attacks. Potential attack vectors against these vulnerabilities have been published and dubbed Meltdown and Spectre. While programs are typically not permitted to read data from the OS kernel or from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in kernel memory or the memory of other programs executed on the same CPU. As a consequence, an exploit could allow attackers to get access to any sensitive data, including passwords or cryptographic keys.

In order to exploit these vulnerabilities, an attacker needs to be able to execute arbitrary code on the CPU of the target system.

ecom mobile devices are normally used in the corporate network. This implies that outgoing connections and local software installations have to be configured by administrators. If these steps are taken, this greatly reduces the risk of unwittingly accessing malicious content and executing unknown code, e.g. by accessing a website that was prepared by an attacker.

However, if a malicious website is accessed, an attacker could gain knowledge of all data in the memory of the mobile device, including passwords.

Solution

Android

Pepperl+Fuchs will release firmware updates for the following products

In case preconfigured server connections / websites exist, they should be restricted to secured and trusted servers. The use of secure protocols, e.g. HTTPS, is recommended.

End users should be restricted in a way such that they can only use the system as configured by administrators.

General access to web pages should be protected through the use of kiosk mode, the use of mobile device management and the use of additional security software. It should be ensured that whitelisted websites do not redirect to untrusted servers / websites.

For Pad-Ex 01 with Microsoft Windows Operating Systems, Microsoft offers security patches which can be directly downloaded from the Microsoft website.

Please note that Microsoft Security patches directly affect machine code execution on the CPU. Be aware of installing these patches, because they might have an impact on system performance or system stability.

This advisory will be updated as further details and/or software updates become available.

Jann Horn (Google Project Zero) and Paul Kocher, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61) published the attack on https://meltdownattack.com/